CPP: Add test cases for PotentiallyDangerousFunction.

geoffw0 · geoffw0 · commit a1e503f4282c · 2019-04-04T16:26:53.000+01:00
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/PotentiallyDangerousFunction.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/PotentiallyDangerousFunction.expected
@@ -1,3 +1,3 @@
-| test.c:28:22:28:27 | call to gmtime | Call to gmtime is potentially dangerous |
-| test.c:39:2:39:5 | call to gets | gets does not guard against buffer overflow |
-| test.c:40:6:40:9 | call to gets | gets does not guard against buffer overflow |
+| test.c:31:22:31:27 | call to gmtime | Call to gmtime is potentially dangerous |
+| test.c:42:2:42:5 | call to gets | gets does not guard against buffer overflow |
+| test.c:43:6:43:9 | call to gets | gets does not guard against buffer overflow |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/test.c b/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/test.c
@@ -21,6 +21,9 @@ struct tm {
 
 struct tm *gmtime(const time_t *timer);
 time_t time(time_t *timer);
+struct tm *localtime(const time_t *timer);
+char *ctime(const time_t *timer);
+char *asctime(const struct tm *timeptr);
 
 // Code under test
 
@@ -39,3 +42,10 @@ void testGets() {
 	gets(buf1); // BAD: use of gets
 	s = gets(buf2); // BAD: use of gets
 }
+
+void testTime()
+{
+	struct tm *now = localtime(time(NULL)); // BAD: localtime uses shared state [NOT DETECTED]
+	char *time_string = ctime(time(NULL)); // BAD: localtime uses shared state [NOT DETECTED]
+	char *time_string2 = asctime(now); // BAD: localtime uses shared state [NOT DETECTED]
+}
